INFO: task hung in __do_page_fault

syzbot

Apr 11, 2019, 8:01:02 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b7e40c3d Merge 4.14.75 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=153cc5a1400000
kernel config: https://syzkaller.appspot.com/x/.config?x=83372ecdbe063bdb
dashboard link: https://syzkaller.appspot.com/bug?extid=fc205e4925d4f926f3ff
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14935e5e400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f8634e400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc205e...@syzkaller.appspotmail.com

INFO: task syz-executor498:8201 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D28920 8201 1957 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
__do_page_fault+0x868/0xb60 arch/x86/mm/fault.c:1361
page_fault+0x42/0x50 arch/x86/entry/entry_64.S:1104
RIP: 6e1320:0x2d
RSP: 0001:00007ffdfd0ffd90 EFLAGS: 00000001
INFO: task syz-executor498:8208 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D28856 8208 1957 0x80000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a086da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dcc28 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc28
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
R13: 6e69752f7665642f R14: 00007fb46a0879c0 R15: 0000000000000000
INFO: task syz-executor498:8214 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor498 D29488 8214 1957 0x80000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a044da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dcc48 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc48
RBP: 00000000006dcc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc4c
R13: 6e69752f7665642f R14: 00007fb46a0459c0 R15: 0000000000000003

Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffffad002247>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1759:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffadb2f070>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffadb2a5ef>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor498/8201:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffaceb4368>]
__do_page_fault+0x868/0xb60 arch/x86/mm/fault.c:1361
1 lock held by syz-executor498/8208:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor498/8214:
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffffacee5962>] do_exit+0x512/0x2800
kernel/exit.c:852

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.75+ #18
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8212 Comm: syz-executor498 Not tainted 4.14.75+ #18
task: ffff8801da9d2f00 task.stack: ffff8801cdd60000
RIP: 0010:preempt_latency_start kernel/sched/core.c:3141 [inline]
RIP: 0010:preempt_count_add+0xa7/0x130 kernel/sched/core.c:3164
RSP: 0018:ffff8801cdd67a80 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffffffae649df1 RCX: 1ffff1003b53a6e5
RDX: 1ffff1003b53a805 RSI: 0000000000000000 RDI: ffff8801da9d4028
RBP: ffff8801cdd67a90 R08: ffffffffad200234 R09: 0000000000000000
R10: ffff8801cdd67c40 R11: 0000000000000000 R12: ffff8801da9d2f00
R13: 0000000000000000 R14: ffff8801cdf3cf60 R15: ffffffffad200234
FS: 00007fb46a066700(0000) GS:ffff8801db800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001f88 CR3: 00000001cde9c004 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__mutex_lock_common kernel/locking/mutex.c:755 [inline]
__mutex_lock+0xd1/0x1480 kernel/locking/mutex.c:893
perf_mmap+0x514/0x1370 kernel/events/core.c:5402
call_mmap include/linux/fs.h:1787 [inline]
mmap_region+0x836/0xfb0 mm/mmap.c:1731
do_mmap+0x551/0xb80 mm/mmap.c:1509
do_mmap_pgoff include/linux/mm.h:2167 [inline]
vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447209
RSP: 002b:00007fb46a065d98 EFLAGS: 00000212 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000447209
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020bf0000
RBP: 00000000006dcc30 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000004011 R11: 0000000000000212 R12: 00000000006dcc3c
R13: 6e69752f7665642f R14: 00007fb46a0669c0 R15: 0000000000000001
Code: 00 85 c0 75 35 65 4c 8b 24 25 c0 de 01 00 49 8d bc 24 28 11 00 00 48
b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 <75> 6b 49 89
9c 24 28 11 00 00 5b 41 5c 5d c3 31 ff 31 db e8 61


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 13, 2019, 8:00:43 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=10ea4524c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=5c31404f4d0b8919bb24
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a89a4cc00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157ab63f400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c3140...@syzkaller.appspotmail.com

binder_alloc: binder_alloc_mmap_handler: 4433 20001000-20004000 already
mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4435 20001000-20004000 already
mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4436 20001000-20004000 already
mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4445 20001000-20004000 already
mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4444 20001000-20004000 already
mapped failed -16
INFO: task syz-executor029:2188 blocked for more than 140 seconds.
Not tainted 4.4.174+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor029 D ffff8800b5b6fd30 29904 2188 2186 0x00000004
ffff8800b5b6fd30 0000000000000006 ffff8800b4df5f00 dffffc0000000000
ffff8800b5b6fd18 ffffffff811fef00 ffff8801db61f180 ffff8801db61f1a8
ffff8801db61e898 ffff8800ba84df00 ffff8800b4df5f00 ffffed0016b6d001
Call Trace:
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff82714a70>] rwsem_down_read_failed+0x220/0x380
kernel/locking/rwsem-xadd.c:250
[<ffffffff81add6b4>] call_rwsem_down_read_failed+0x14/0x30
arch/x86/lib/rwsem.S:90
[<ffffffff810aad4a>] __do_page_fault+0x58a/0x7f0 arch/x86/mm/fault.c:1189
[<ffffffff810ab008>] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1306
[<ffffffff82719e35>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064
1 lock held by syz-executor029/2188:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810aad4a>]
__do_page_fault+0x58a/0x7f0 arch/x86/mm/fault.c:1189
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #4
task: ffff8801da6f4740 task.stack: ffff8800001d0000
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>]
flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001d7c88 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001d7cb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd9998ad60 CR3: 00000001d62a0000 CR4: 00000000001606b0
Stack:
0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
000000000001b6c0 0000000000000008 ffff8800001d7cd8 ffffffff81092bee
0000000000000008 ffffffff82924260 ffff8800001d7d30 ffffffff81ab8252
Call Trace:
[<ffffffff81092bee>] nmi_raise_cpu_backtrace+0x5e/0x80
arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab8252>] nmi_trigger_all_cpu_backtrace.cold+0xa1/0xae
lib/nmi_backtrace.c:85
[<ffffffff81092ca4>] arch_trigger_all_cpu_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b4762>] trigger_all_cpu_backtrace include/linux/nmi.h:44
[inline]
[<ffffffff813b4762>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b4762>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff813b4762>] watchdog.cold+0xd3/0xee kernel/hung_task.c:238
[<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89
fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00
02 00 00 75 1e 4c 89 e7 57 9d 0f 1f 44 00 00 e8 f1
NMI backtrace for cpu 1
CPU: 1 PID: 2199 Comm: syz-executor029 Not tainted 4.4.174+ #4
task: ffff8801d2b597c0 task.stack: ffff8801d2a88000
RIP: 0010:[<ffffffff81ad8e28>] [<ffffffff81ad8e28>] delay_tsc+0x38/0xc0
arch/x86/lib/delay.c:67
RSP: 0018:ffff8801d2a8f7e0 EFLAGS: 00000002
RAX: 0000000000000002 RBX: 00000178d22b7739 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff81b0abec RDI: 0000000000000001
RBP: ffff8801d2a8f800 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff83fdf1c6 R12: 00000178d22b74c6
R13: 0000000000000001 R14: 00000000000008fd R15: fffffbfff092dca5
FS: 00007f629f14a700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f629f149db8 CR3: 00000000b4deb000 CR4: 00000000001606b0
Stack:
ffffffff8496e4e0 000000000000270d 0000000000000020 fffffbfff092dce3
ffff8801d2a8f810 ffffffff81ad8d30 ffff8801d2a8f820 ffffffff81ad8d6a
ffff8801d2a8f870 ffffffff81cc45ff ffffed003a551f24 ffffffff8496e528
Call Trace:
[<ffffffff81ad8d30>] __delay+0x10/0x20 arch/x86/lib/delay.c:160
[<ffffffff81ad8d6a>] __const_udelay+0x2a/0x30 arch/x86/lib/delay.c:174
[<ffffffff81cc45ff>] wait_for_xmitr+0x6f/0x1e0
drivers/tty/serial/8250/8250_port.c:1725
[<ffffffff81cc4790>] serial8250_console_putchar+0x20/0x60
drivers/tty/serial/8250/8250_port.c:2806
[<ffffffff81caf7c6>] uart_console_write+0x56/0xe0
drivers/tty/serial/serial_core.c:1789
[<ffffffff81cce12b>] serial8250_console_write+0x2fb/0x870
drivers/tty/serial/8250/8250_port.c:2872
[<ffffffff81cbd84f>] univ8250_console_write+0x5f/0x70
drivers/tty/serial/8250/8250_core.c:594
[<ffffffff8121c8ff>] call_console_drivers.constprop.0+0x1ef/0x3f0
kernel/printk/printk.c:1468
[<ffffffff8121fe02>] console_unlock kernel/printk/printk.c:2335 [inline]
[<ffffffff8121fe02>] console_unlock+0x602/0xa10 kernel/printk/printk.c:2242
[<ffffffff812205c2>] vprintk_emit+0x3b2/0x820 kernel/printk/printk.c:1837
[<ffffffff81220a58>] vprintk+0x28/0x30 kernel/printk/printk.c:1848
[<ffffffff813afd6f>] printk+0xc2/0xf5 kernel/printk/printk.c:1927
[<ffffffff8214fb45>] binder_alloc_mmap_handler+0x655/0x820
drivers/android/binder_alloc.c:734
[<ffffffff8212a528>] binder_mmap+0x1d8/0x2f0 drivers/android/binder.c:4966
[<ffffffff8144893b>] mmap_region+0x87b/0x1090 mm/mmap.c:1696
[<ffffffff81449634>] do_mmap+0x4e4/0xa20 mm/mmap.c:1473
[<ffffffff81409daa>] do_mmap_pgoff include/linux/mm.h:1917 [inline]
[<ffffffff81409daa>] vm_mmap_pgoff+0x16a/0x1c0 mm/util.c:296
[<ffffffff81447b4a>] SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
[<ffffffff81447b4a>] SyS_mmap_pgoff+0xfa/0x1b0 mm/mmap.c:1481
[<ffffffff81016bf6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
[<ffffffff81016bf6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 00 41 55 41 54 53 e8 28 45 68 ff e8 a3 1f 03 00 41 89 c5 0f ae e8 0f
31 48 c1 e2 20 48 09 c2 49 89 d4 eb 16 f3 90 bf 01 00 00 00 <e8> 03 45 68
ff e8 7e 1f 03 00 44 39 e8 75 36 0f ae e8 0f 31 48

syzbot

Apr 14, 2019, 4:51:24 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 32208917 UPSTREAM: HID: sony: remove redundant check for -..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=150078b9400000
kernel config: https://syzkaller.appspot.com/x/.config?x=3303f42e9d7e07c5
dashboard link: https://syzkaller.appspot.com/bug?extid=df76c99689b1ae5ce6c8
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ab8999400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11776fc5400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df76c9...@syzkaller.appspotmail.com

INFO: task syz-executor288:2541 blocked for more than 140 seconds.
Not tainted 4.9.135+ #60
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor288 D28584 2541 2152 0x00000004
ffff8801c4be17c0 0000000000000000 ffff8801ca1d6e00 ffffffff8302a180
ffff8801db621018 ffff8801ca2afc50 ffffffff827f93d2 ffff8801ca2afc28
ffffffff81206ab7 0000000000000000 00ff8801c4be2068 ffff8801db6218f0
Call Trace:
[<ffffffff827fa8ff>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff8280565c>] rwsem_down_read_failed+0x26c/0x400
kernel/locking/rwsem-xadd.c:260
[<ffffffff81b69148>] call_rwsem_down_read_failed+0x18/0x30
arch/x86/lib/rwsem.S:94
[<ffffffff82803432>] __down_read arch/x86/include/asm/rwsem.h:65 [inline]
[<ffffffff82803432>] down_read+0x52/0xb0 kernel/locking/rwsem.c:24
[<ffffffff810b2e6b>] __do_page_fault+0x7db/0xa60 arch/x86/mm/fault.c:1342
[<ffffffff810b3147>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[<ffffffff8280a675>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:951

Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131bb4c>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131bb4c>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe314>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2022:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82807722>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+.+.}, at: [<ffffffff81d2b032>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor288/2541:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810b2e6b>]
__do_page_fault+0x7db/0xa60 arch/x86/mm/fault.c:1342
1 lock held by syz-executor288/2542:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6681>] exit_mm
kernel/exit.c:480 [inline]
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6681>]
do_exit+0x3c1/0x29d0 kernel/exit.c:820
1 lock held by syz-executor288/2543:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6681>] exit_mm
kernel/exit.c:480 [inline]
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6681>]
do_exit+0x3c1/0x29d0 kernel/exit.c:820

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.135+ #60
ffff8801d9907d08 ffffffff81b36bf9 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff81098330 ffff8801d9907d40
ffffffff81b41d09 0000000000000001 0000000000000000 0000000000000003
Call Trace:
[<ffffffff81b36bf9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b36bf9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b41d09>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b41c9c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff81098434>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c0dd>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c0dd>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c0dd>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c0dd>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff811428dd>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff8280981c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2544 Comm: syz-executor288 Not tainted 4.9.135+ #60
task: ffff8801c4be4740 task.stack: ffff8801c9cb0000
RIP: 0010:[<ffffffff81205761>] [<ffffffff81205761>] mark_lock+0x1/0x1290
kernel/locking/lockdep.c:3032
RSP: 0018:ffff8801c9cb7af8 EFLAGS: 00000002
RAX: 0000000000000004 RBX: 0000000000000000 RCX: 1ffff1003897ca02
RDX: 0000000000000006 RSI: ffff8801c4be4ff0 RDI: ffff8801c4be4740
RBP: ffff8801c9cb7b48 R08: ffff8801c4be5010 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c4be4ff0
R13: ffffed003897c9fd R14: ffff8801c4be4740 R15: dffffc0000000000
FS: 00007fc08a2be700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc160e55fe0 CR3: 00000001ca5ac000 CR4: 00000000001606b0
Stack:
ffff8801c9cb7b48 ffffffff81206ab7 ffff8801ca3de060 ffff8801c4be4fe8
0000000600000007 ffff8801c4be4740 ffffffff8280209b 1ffff10039396f72
0000000000000246 ffff8801c9cb7bb0 ffff8801c9cb7b68 ffffffff81206eab
Call Trace:
[<ffffffff81206eab>] __trace_hardirqs_on_caller
kernel/locking/lockdep.c:2689 [inline]
[<ffffffff81206eab>] trace_hardirqs_on_caller+0x38b/0x590
kernel/locking/lockdep.c:2736
[<ffffffff812070bd>] trace_hardirqs_on+0xd/0x10
kernel/locking/lockdep.c:2743
[<ffffffff8280209b>] __mutex_unlock_common_slowpath
kernel/locking/mutex.c:753 [inline]
[<ffffffff8280209b>] __mutex_unlock_slowpath+0x25b/0x3c0
kernel/locking/mutex.c:765
[<ffffffff82802209>] mutex_unlock+0x9/0x10 kernel/locking/mutex.c:437
[<ffffffff813d98aa>] perf_mmap+0x64a/0x1430 kernel/events/core.c:5278
[<ffffffff814b417c>] mmap_region+0x80c/0xf90 mm/mmap.c:1726
[<ffffffff814b4e3d>] do_mmap+0x53d/0xbb0 mm/mmap.c:1505
[<ffffffff81469e48>] do_mmap_pgoff include/linux/mm.h:2032 [inline]
[<ffffffff81469e48>] vm_mmap_pgoff+0x168/0x1b0 mm/util.c:329
[<ffffffff814af4ee>] SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
[<ffffffff814af4ee>] SyS_mmap_pgoff+0xfe/0x1b0 mm/mmap.c:1513
[<ffffffff8105d376>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
[<ffffffff8105d376>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82809653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 16 04 03 85 c0 0f 84 c6 a8 1f 00 48 83 c4 40 31 c0 5b 41 5c 41 5d 41
5e 41 5f 5d c3 4c 89 ff e8 36 d8 2e 00 eb d7 0f 1f 40 00 55 <4c> 8d 46 20
89 d1 48 b8 00 00 00 00 00 fc ff df 48 89 e5 41 57